The Platform

Built for the teams that have to defend, prove, and report.

ArmorPoint replaces the SIEM, GRC, and ticketing stack with one product where telemetry, response, and evidence share a single model. Five connected hubs, all included, nothing to bolt on later.

Architecture
One data model

Telemetry, response, and evidence on one schema, not three disconnected tools.

Shared evidence

The same data feeds your dashboards, the SOC, and the auditor.

Open integration SDK

Pre-built connectors for the tools you run. Build your own with the partner SDK.

Per-role views

Tailored lenses for analysts, compliance, and the C-suite.

VISUALIZE

See your security posture, not your tool sprawl.

Most tools hand you a blank dashboard and a setup project. ArmorPoint ships dashboards pre-built for the systems you already run (O365, Defender, FortiGate, and more), live on day one.

Dashboards
Pre-built for your firewall, Microsoft 365, and Windows. Or build your own.
Report Hub
White-label client reports, built from templates and delivered on schedule.
Data Canvas
Free-form live views, built for the monitor wall.
Posture Score
One 0-to-100 read on where you stand.
Security Posture · weighted composite · live, 30-day trend
Score: 41 · Grade: F
Six weighted security signals roll up to one auditable score.
Compliance Posture (16%) · 56
Vulnerability Exposure (18%) · 28
Identity Security (15%) · 91
Vendor Risk (13%) · 71
Endpoint Health (14%) · 0
Detection & Response (12%) · 0
Risk bands: Low risk · Moderate · Elevated · High risk
Per-role view · analyst
Roles: Analyst (active) · Manager · Auditor
Active investigations · 7
Queue depth · 23 alerts
My MTTR · 11m
Detection rules I own · 38
Manager and auditor views surface different metrics, drill paths, and report defaults. One data plane, three lenses.
Report Hub · schedule
Board pack, quarterly · PDF · CISO + audit committee · next: Mar 31 · scheduled
SOC 2 evidence packet · ZIP · auditor share · next: weekly Mon 06:00 · scheduled
MSP white-label, client A · PDF · branded · monthly · scheduled
Vuln triage, engineering · CSV · queued · paused since Mar 12 · paused
Report runs deliver to email, Slack, S3, or SFTP. Same data, same auth, no copy-paste.
OPERATIONS

From signal to incident to closed ticket.

Detection is the easy part. AI-accelerated threat triage surfaces the signal that matters, not a flood of raw alerts, then a real analyst in our 24/7 U.S.-based SOC makes the call. We contain the threat under the rules of engagement you set, so you never lose control.

Alerts
Raw signals correlated into AI-scored alerts, validated by analysts.
Incidents
Assigned, owned, and worked to closure on one board.
Detection Hub
Pre-built detections, monitored for drift. MITRE ATT&CK mapping.
Tickets
Alert to incident to closed ticket, in one queue.
AI Triage Engine · AI-assisted signal classification · live
Total evaluated: 142 · Benign: 1 · Inconclusive: 0 · Suspicious: 0 · Malicious: 2
Analyst agreement: 67%
Security logic · signals · Vertex AI verdict distribution · confidence · modal outcome
CENSYS.IO.SCANNER · 2 signals · 1 BENIGN 0 INC 0 SUSP 1 MALIC · 90% · 50% modal
MASSCAN.SCANNER · 1 signal · 0 BENIGN 0 INC 0 SUSP 1 MALIC · 90% · 100% modal
APACHE.CAMEL.XSLT.COMPONENT · 2 signals · 0 BENIGN 0 INC 1 SUSP 0 MALIC · 80% · 100% modal
FORTIGATE.FIREWALL.CONFIG · 26 signals · 0 BENIGN 0 INC 0 SUSP 0 MALIC · - · awaiting triage
Vertex AI auto-classifies every signal before analyst review. Confidence + modal-outcome agreement train the engine in flight.
Cluster view · 4 of 78 rules
Incident #INC-2406 · critical
Outbound C2 beacon, srv-app-12 · opened 03:51 · age 2h 14m
03:51 Detection · Outbound traffic to known C2 IP 203.0.113.42 from srv-app-12 · matched IOC watchlist
03:53 Correlation · Linked to 4 prior beacons (last 24h) · same destination ASN · auto-promoted to incident
03:55 Assignment · Assigned to T2 analyst @k.rivera · CrowdStrike host isolation pre-staged (awaiting approval)
04:08 Containment approved · Customer approval received · firewall block deployed · host isolated
06:05 Eradication in progress · Process tree analyzed · 2 IOCs added to watchlist · forensic snapshot exported
Evidence chain · 7 artifacts, including flow.pcap · process-tree.json · isolation-log.txt · approval.eml
Every artifact hashes to the evidence ledger. Same artifacts feed the SOC 2 control matrix.
Playbook · Suspicious C2 v3.2 · auto-deployed for INC-2406 · running
1. Enrich with threat intel · CVE check · IOC match · ASN reputation · 1.4s · done
2. Correlate against asset criticality · srv-app-12 · CDE-tagged · owner: platform-eng · done
3. Request containment approval · via Slack to security-oncall · approved 13m · done
4. Isolate host + block egress · CrowdStrike · FortiGate · 0.6s · done
5. Forensic snapshot & collection · in progress · ETA 4m · running
6. Open ticket · platform-eng · queued · waiting
7. Add IOCs to watchlist · queued · waiting
v3.2 · last edited @j.morales · 2d ago
GOVERNANCE

Walk into audit season with the evidence already gathered.

The SSP, the PCI ROC, the HIPAA risk analysis, the SOC 2 system description: normally weeks of consultant work. ArmorPoint generates them from one control set mapped across your frameworks, every control linked to live evidence your SOC already produces.

Security Control Matrix
CMMC, SOC 2, PCI, HIPAA, NIST CSF, and custom.
POA&M Milestones
Every gap tracked to closure, with owners and deadlines.
Audit Documents
SSP, PCI ROC, HIPAA risk analysis, SOC 2 system description, generated.
Risk Register
Risks suggested from your gaps and vendors, scored and tracked.
Compliance Posture · framework coverage · audit-ready
11% total coverage · Continuous control evidence across all active frameworks.
CMMC L2 · DoD supply chain · 56%
SOC 2 Type II · AICPA service org controls · 0%
PCI-DSS v4.0 · Payment card data security · 0%
HIPAA · Healthcare HIPAA safeguards · 0%
NIST CSF 2.0 · Cybersecurity framework · 0%
Same telemetry that feeds the SOC feeds the auditor. Evidence is generated continuously, no quarterly screenshot scramble.
5 frameworks active
POAM Register · Plan of Action & Milestones
POAM-2031 · in progress · auto-derived
Centralize audit log forwarding from legacy WAF · control: AU.L2-3.3.1 · owner: @netsec · due: Apr 30 · 3 of 5 milestones · 7 evidence · 60%
POAM-2042 · overdue
Deploy outbound DNS filtering across CDE · control: SI.L2-3.14.6 · owner: @platform-eng · due: Mar 15 · 1 of 4 milestones · 2 evidence · 25%
POAM-2056 · verifying
Auto-tag containers as CDE-scoped · control: AC.L2-3.1.5 · owner: @cloud-team · due: Apr 10 · 4 of 4 milestones · 11 evidence · 95% · auto-close pending
POAMs auto-derive from partial or missing controls. Closure is verified against live evidence, not screenshots.
SSP Generator · System Security Plan · CMMC L2
3.1.1, Limit system access to authorized users
The organization restricts system access to authenticated users via a unified identity provider (Microsoft 365 / Azure AD), enforced through conditional access policies and SSO. All access decisions are logged in the Identity Hub data plane.
[Auto-inserted from live config]
· Authentication source: Azure AD (verified 2m ago)
· Conditional access policies: 14 active, 0 disabled
· MFA enforcement: 98.4% coverage (487/495 identities)
· Last access review: 18 days ago, within 30-day cadence
3.1.5, Least privilege enforcement
Privileged role assignments are limited to documented operational requirements. Standing privileged access is reviewed quarterly and just-in-time elevation is used for routine administrative work.
Generation sources (live): Identity Hub · Asset Hub · Detection rules · Vendor attestations
The narrative matches what's actually deployed, not what was true the day someone wrote it.
ENVIRONMENT

Know what you have before you defend it.

You can't patch what you don't know is running. The ArmorPoint Agent inventories every asset, every app, every missing patch, and every scheduled task across endpoints, cloud, and SaaS, so nothing runs in the dark.

Asset Hub
Every managed asset, with its vulnerability and patch posture.
CMDB Hub
Software, patches, and the scheduled tasks where attackers hide persistence.
Identity Hub
Cloud and on-prem identities, fully mapped.
Agents
Catch lateral movement, not just endpoint events. Cover the whole environment, not priced by data volume.
Integration Marketplace
Browse and connect the tools you run.
ArmorPoint Agent Fleet · live inventory
Total deployed: 142 · 142 of 142 reporting
One install. Continuous health, vulnerability, and configuration telemetry, no separate agent per tool.
Status: Online 128 · Degraded 4 · Offline 8 · Rogue 2
Operating systems: Windows 92 · Linux 42 · macOS 8
Asset type: Domain Controllers 4 · Servers 32 · Workstations 106
Last database sync · 2 minutes ago · CMDB drift detection active.
Identity Hub · posture · 487 identities
MFA coverage 98.4% · 479 enrolled · 8 exempted (review)
Privilege drift · 30d · +5 standing
Global Admin · 4 (↑1)
Privileged Auth Admin · 7 (↑2)
Service Principals · 38 (↑2)
Access review · in flight · 42 of 56
Q1 cycle · 14 reviews pending · auto-revoke if not certified by Apr 5
Workflow Builder · draft v2
Auto-quarantine · suspicious endpoint
trigger: high-severity EDR alert · CDE-tagged asset
When (trigger): EDR alert · severity = critical · asset.tag contains "CDE"
Filter condition: if user.is_executive == false && asset.business_hours == false
Request approval (human): Slack DM · #security-oncall · 5min timeout → escalate
Action (parallel):
· CrowdStrike: contain_host(asset.id)
· FortiGate: block_dst(c2.ip)
· Jira: create_ticket(team="platform-eng")
last run: 2h ago · 14 fired this week
THREAT INTEL

Context, not just IOCs.

Threat intel is usually a firehose nobody reads. ArmorPoint curates the sources, auto-extracts the indicators, and checks every CVE against your real inventory, so you spend your time on the handful that actually put your business at risk.

Curated feeds
Government, OSINT, and vendor advisories, in one feed.
IOC extraction
Indicators auto-extracted from every article.
IP Threat List
Block persistent attackers, pushed straight to your firewall.
Attack surface
Continuous external view of exposure.
Sandbox
Detonate suspicious files and URLs for a verdict.
Operations Overview · live telemetry · last 30d · 30-day rolling window
Metric · total · critical / high / medium / low
Incidents · 100 · 2 / 20 / 40 / 36
Alerts · 628 · 6 / 43 / 417 / 159
Vulnerabilities · 79 · 1 / 21 / 49 / 8
SOC MTTR · 24m · 4m / 12m / 45m / 2h
Every signal joined to its CVE, MITRE ATT&CK technique, and affected asset. One pivot from trend → root cause.
IOC Watchlist · 1,847 active · auto-aged 30d
IP 203.0.113.42 · 3 hits · 12d
SHA256 a1b2c8d9e4f7…3c · 1 hit · 4d
Domain evil-cdn.io · DNS only · 21d
URL /admin/.env · 5 attempts · 2d
IP 198.51.100.7 · no hits · aging
IOCs auto-age based on hit volume and feed confidence. No-hit IOCs decay out, so low-value indicators stop polluting your detection signal.
External Attack Surface · continuous outside-in · scanned 6h ago
Domains 47 · Open ports 128 · Findings 9 (▲4)
Exposed admin interface · admin.api.acme.com:8443 · no auth challenge · CRITICAL
TLS 1.0 still enabled · legacy.acme.com:443 · 2 days drift · HIGH
Subdomain takeover candidate · old-blog.acme.com → unclaimed S3 bucket · HIGH
New asset detected · eu-staging.acme.com · not in CMDB · REVIEW
New attack-surface findings auto-create tickets in the Asset Hub and link to the relevant control matrix entry.
Ready when you are

See ArmorPoint in action.

Book 30 minutes with a security engineer and watch the platform work. Every hub is live in a full environment, populated with realistic data, so you see real detection, response, and evidence workflows end to end.